From mboxrd@z Thu Jan 1 00:00:00 1970
From: baux80@gmail.com
To: 9fans@9fans.net
Date: Tue, 31 Aug 2010 16:20:30 +0200
Subject: [9fans] how to lock cpu console
Message-Id:
Topicbox-Message-UUID: 4b25f57e-ead6-11e9-9d60-3106f5b1d025

Hi all,
how to lock (protect by password) the cpu console? In default install
after boot the console is logged by user bootes. Is there a way to avoid this?

tia,

bye

--
Maurizio Boriani
irc: #defocus@freenode.net
PGP key: 0xEBBFF70D
 => A5 96 C1 30 00 78 0C 78  57 5D 3E 05 C2 A4 6D 53 <=
Crudelitas in animalia est tirocinium crudelitatis
 contra homines

From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Tue, 31 Aug 2010 10:29:16 -0400
To: 9fans@9fans.net
Message-ID: <9ce3581805c172592b99ac52970f7d46@plug.quanstro.net>
In-Reply-To:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4b2a2c02-ead6-11e9-9d60-3106f5b1d025

On Tue Aug 31 10:21:42 EDT 2010, baux80@gmail.com wrote:
>
> Hi all,
> how to lock (protect by password) the cpu console? In default install
> after boot the console is logged by user bootes. Is there a way to avoid this?
>

the quick answer is that it's not possible out of the box.
previous discussions here (and one spurious Promula model):
http://9fans.net/archive/?q=%27console+%28.|\n%29*lock+|%28^|+%29lock+.*%28.|\n%29console%27&go=Grep

- erik

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References:
Date: Tue, 31 Aug 2010 15:31:49 +0100
Message-ID:
From: Robert Raschke
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: multipart/alternative; boundary=0016e68cbdc804d888048f1f7135
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4ba4e870-ead6-11e9-9d60-3106f5b1d025

--0016e68cbdc804d888048f1f7135
Content-Type: text/plain; charset=UTF-8

On Tue, Aug 31, 2010 at 3:20 PM, wrote:

> how to lock (protect by password) the cpu console? In default install
> after boot the console is logged by user bootes. Is there a way to avoid this?

Usually, you'll find people put it in a cupboard or room that you can
physically lock. I think someone may have made a screen lock for a cpu/file
server, but I cannot find it now. The standard thinking is that your servers
are yours, so you keep them safe. No one needs a public console to them.

Robby

--0016e68cbdc804d888048f1f7135--

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References:
Date: Tue, 31 Aug 2010 10:55:59 -0400
Message-ID:
From: John Floren
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4bab4378-ead6-11e9-9d60-3106f5b1d025

On Tue, Aug 31, 2010 at 10:20 AM, wrote:
>
> Hi all,
>        how to lock (protect by password) the cpu console? In default install
> after boot the console is logged by user bootes. Is there a way to avoid this?
>
> tia,
>
> bye
>
> --
> Maurizio Boriani
> irc: #defocus@freenode.net
> PGP key: 0xEBBFF70D
>  => A5 96 C1 30 00 78 0C 78  57 5D 3E 05 C2 A4 6D 53 <=
> Crudelitas in animalia est tirocinium crudelitatis
>  contra homines
>
>

Hi Maurizio

This seems to come up every so often. The usual answer, and the one
which I use, is "who cares?" :) Where is your CPU server located? Are
there that many untrustworthy types passing through every day? I left
one of my CPU/auth/file servers sitting in a campus lab, accessible by
grad students and some undergrad courses, for over two years and never
saw so much as an "ls" entered, even though I had the keyboard, mouse,
and monitor hooked up the whole time. My biggest problem was that
people kept unplugging the network cable to use with their laptops!

Right now, I have my CPU/auth/file server sitting in a different lab,
with no input or output devices connected. That in itself is good
enough to stop casual meddlers. Of course, if you have non-casual
meddlers, somebody who is willing to drag over a monitor and a
keyboard just to fiddle with your PC, you'll want to take further
steps.

Although I've never done it, I expect you should be able to modify
/cfg//cpustart to prevent local access. Maybe a simple while/sleep
loop would do the job?
There is also, somewhere, a screen locker program that (I think) Rob
wrote a few years back; I compiled it and used it successfully last
year, and you could certainly stick that in your cpustart to
automatically lock the screen. However, for the life of me I can't
find the code right now, so maybe somebody else can point to it.

A lot of people ask this kind of thing when they start using Plan 9. I
did. I think it comes from the illusion of safety given by the way
Linux and Windows and Mac OS X all ask for usernames and passwords
when they boot, despite the fact that only the most casual of
"attacker" would be put off by that, rather than, say, rebooting with
a LiveCD and grabbing your data that way. There's something to be said
for deterring casual fiddlers who can't help but touch an open
computer, though, and luckily it's not too hard in Plan 9.

John
--
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich

From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Tue, 31 Aug 2010 11:04:06 -0400
To: slawmaster@gmail.com, 9fans@9fans.net
Message-ID: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net>
In-Reply-To:
References:
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4bb361f2-ead6-11e9-9d60-3106f5b1d025

> There is also, somewhere, a screen locker program that (I think) Rob
> wrote a few years back; I compiled it and used it successfully last
> year, and you could certainly stick that in your cpustart to
> automatically lock the screen. However, for the life of me I can't
> find the code right now, so maybe somebody else can point to it.

i didn't suggest lock for cpu servers since it requires
rio. seems silly to run rio on the console just to lock it.
and unfortunately, i think this method would also interfere
with the serial console.
and it wouldn't be immune to
a three-fingered salute, ^P, ^T^Tr, and other hilarity.

since there are no interrupts on the console, it would seem
trivial to me to, ahem, lock down the console with a 10 line program.
you'd be left with defending against ^T^Tr, ^P, etc.
but then again, the power button or network cable is sooo
convenient. heck, just take the machine home. :-P.

- erik

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net>
References: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net>
Date: Tue, 31 Aug 2010 08:25:21 -0700
Message-ID:
From: David Leimbach
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: multipart/alternative; boundary=0015175caa2a7b8154048f2030f7
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4bc11824-ead6-11e9-9d60-3106f5b1d025

--0015175caa2a7b8154048f2030f7
Content-Type: text/plain; charset=ISO-8859-1

In short. Physical access trumps all other locking mechanisms anyway.

CPU servers were not meant to be workstations, and the lack of a screen
lock shows that. But then workstations are easily stolen. 2 were taken
from the building where I work in the last weeks at a law firm office
(we share our building IANAL), and no amount of screen locks saved those.

However I still screensaver lock my desktop when I leave for the weekend.
Not that it'd matter, if someone really wanted my data they could get it.

Dave

On Tue, Aug 31, 2010 at 8:04 AM, erik quanstrom wrote:

> > There is also, somewhere, a screen locker program that (I think) Rob
> > wrote a few years back; I compiled it and used it successfully last
> > year, and you could certainly stick that in your cpustart to
> > automatically lock the screen. However, for the life of me I can't
> > find the code right now, so maybe somebody else can point to it.
>
> i didn't suggest lock for cpu servers since it requires
> rio.
> seems silly to run rio on the console just to lock it.
> and unfortunately, i think this method would also interfere
> with the serial console. and it wouldn't be immune to
> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
>
> since there are no interrupts on the console, it would seem
> trivial to me to, ahem, lock down the console with a 10 line program.
> you'd be left with defending against ^T^Tr, ^P, etc.
> but then again, the power button or network cable is sooo
> convenient. heck, just take the machine home. :-P.
>
> - erik
>
>

--0015175caa2a7b8154048f2030f7--

From mboxrd@z Thu Jan 1 00:00:00 1970
References: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net>
Message-Id: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
From: Skip Tavakkolian
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
In-Reply-To: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net>
Content-Type: text/plain; charset=us-ascii; format=flowed; delsp=yes
Content-Transfer-Encoding: 7bit
Mime-Version: 1.0 (iPhone Mail 7E18)
Date: Tue, 31 Aug 2010 08:25:26 -0700
Cc: "9fans@9fans.net" <9fans@9fans.net>
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4bc55d4e-ead6-11e9-9d60-3106f5b1d025

Steve has a conslock in sources. I have a couple of CPUs in open areas
that I lock using it. Put it as the last action in /cfg/machine/cpurc
to lock on startup.

Sent from my iPhone

On Aug 31, 2010, at 8:04 AM, erik quanstrom wrote:

>> There is also, somewhere, a screen locker program that (I think) Rob
>> wrote a few years back; I compiled it and used it successfully last
>> year, and you could certainly stick that in your cpustart to
>> automatically lock the screen. However, for the life of me I can't
>> find the code right now, so maybe somebody else can point to it.
>
> i didn't suggest lock for cpu servers since it requires
> rio. seems silly to run rio on the console just to lock it.
> and unfortunately, i think this method would also interfere
> with the serial console. and it wouldn't be immune to
> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
>
> since there are no interrupts on the console, it would seem
> trivial to me to, ahem, lock down the console with a 10 line program.
> you'd be left with defending against ^T^Tr, ^P, etc.
> but then again, the power button or network cable is sooo
> convenient. heck, just take the machine home. :-P.
>
> - erik
>

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
References: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net> <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
Date: Tue, 31 Aug 2010 20:18:09 +0200
Message-ID:
From: Francisco J Ballesteros
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4be85b46-ead6-11e9-9d60-3106f5b1d025

for cpu servers, I sometimes add

    cat /dev/kmesg /dev/kprint

to cpurc. as the console does not run rio and you can't hit Del to
kill them, they suffice to lock the keyboard.

there was also the lock program from Rob Pike, IIRC, posted here long
ago, I think. perhaps not

On Tue, Aug 31, 2010 at 5:25 PM, Skip Tavakkolian wrote:
> Steve has a conslock in sources. I have a couple of CPUs in open areas that
> I lock using it. Put it as the last action in /cfg/machine/cpurc to lock on
> startup.
>
> Sent from my iPhone
>
> On Aug 31, 2010, at 8:04 AM, erik quanstrom wrote:
>
>>> There is also, somewhere, a screen locker program that (I think) Rob
>>> wrote a few years back; I compiled it and used it successfully last
>>> year, and you could certainly stick that in your cpustart to
>>> automatically lock the screen. However, for the life of me I can't
>>> find the code right now, so maybe somebody else can point to it.
>>
>> i didn't suggest lock for cpu servers since it requires
>> rio. seems silly to run rio on the console just to lock it.
>> and unfortunately, i think this method would also interfere
>> with the serial console. and it wouldn't be immune to
>> a three-fingered salute, ^P, ^T^Tr, and other hilarity.
>>
>> since there are no interrupts on the console, it would seem
>> trivial to me to, ahem, lock down the console with a 10 line program.
>> you'd be left with defending against ^T^Tr, ^P, etc.
>> but then again, the power button or network cable is sooo
>> convenient. heck, just take the machine home. :-P.
>>
>> - erik
>>
>
>

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net> <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
Date: Tue, 31 Aug 2010 13:54:36 -0600
Message-ID:
From: andrey mirtchovski
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4c0875b6-ead6-11e9-9d60-3106f5b1d025

here's something quite old which used to work:

http://mirtchovski.com/lanlp9/rlock/index.html

From mboxrd@z Thu Jan 1 00:00:00 1970
Message-ID:
To: 9fans@9fans.net
Date: Tue, 31 Aug 2010 13:45:16 -0700
From: Skip Tavakkolian <9nut@9netics.com>
In-Reply-To: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4c0d65a8-ead6-11e9-9d60-3106f5b1d025

see: /n/sources/contrib/steve/rc/conslock

if you have more than one cpu, change this line:
        pwd=$home/lib/conslock.hash
to
        pwd=$home/lib/conslock.^$sysname^.hash

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
Date: Wed, 1 Sep 2010 01:21:45 -0300
Message-ID:
From: "Federico G. Benavento"
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4c668944-ead6-11e9-9d60-3106f5b1d025

now there's also screenlock(8)

http://plan9.bell-labs.com/magic/man2html/8/screenlock

similar to conslock, but authenticates against the auth server

On Tue, Aug 31, 2010 at 5:45 PM, Skip Tavakkolian <9nut@9netics.com> wrote:
> see: /n/sources/contrib/steve/rc/conslock
>
> if you have more than one cpu, change this line:
>        pwd=$home/lib/conslock.hash
> to
>        pwd=$home/lib/conslock.^$sysname^.hash
>
>
>

--
Federico G. Benavento

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
Date: Wed, 1 Sep 2010 00:44:58 -0400
Message-ID:
From: John Floren
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4c7319a2-ead6-11e9-9d60-3106f5b1d025

Don't do this under drawterm, at least not on Windows. It'll gobble
your mouse right up, or at least it did mine.

Of course, there's no reason to run this in drawterm, since your host
OS is certain to have its own screen locker...

John

On Wed, Sep 1, 2010 at 12:21 AM, Federico G. Benavento wrote:
> now there's also screenlock(8)
>
> http://plan9.bell-labs.com/magic/man2html/8/screenlock
>
> similar to conslock, but authenticates against the auth server
>
> On Tue, Aug 31, 2010 at 5:45 PM, Skip Tavakkolian <9nut@9netics.com> wrote:
>> see: /n/sources/contrib/steve/rc/conslock
>>
>> if you have more than one cpu, change this line:
>>        pwd=$home/lib/conslock.hash
>> to
>>        pwd=$home/lib/conslock.^$sysname^.hash
>>
>>
>>
>
>
>
> --
> Federico G. Benavento
>
>

--
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .." -- Ron Minnich

From mboxrd@z Thu Jan 1 00:00:00 1970
From: baux80@gmail.com (baux80 at gmail.com)
Date: Wed, 1 Sep 2010 11:48:31 +0200
Subject: [9fans] how to lock cpu console
In-Reply-To:
References:
Message-ID:
Topicbox-Message-UUID: 4c87170e-ead6-11e9-9d60-3106f5b1d025

On 31 August 2010 at 10:55, John Floren wrote:
>
> This seems to come up every so often. The usual answer, and the one
> which I use, is "who cares?" :) Where is your CPU server located? Are
> there that many untrustworthy types passing through every day?

ok, you unmasked me :-) It was only a theoretical question... not a real need :-)

> I left
> one of my CPU/auth/file servers sitting in a campus lab, accessible by
> grad students and some undergrad courses, for over two years and never
> saw so much as an "ls" entered, even though I had the keyboard, mouse,
> and monitor hooked up the whole time. My biggest problem was that
> people kept unplugging the network cable to use with their laptops!

mine too :-)

[...]

> There is also, somewhere, a screen locker program that (I think) Rob
> wrote a few years back; I compiled it and used it successfully last
> year, and you could certainly stick that in your cpustart to
> automatically lock the screen.
> However, for the life of me I can't
> find the code right now, so maybe somebody else can point to it.

this sounds good, a screen locker called by cpustart

[...]

> rebooting with
> a LiveCD and grabbing your data that way. There's something to be said
> for deterring casual fiddlers who can't help but touch an open
> computer, though, and luckily it's not too hard in Plan 9.

obviously... If an attacker got console place, the smartest thing to do
(in my opinion) is to steal the hard disks :-) (or insert a bootable cd
and throw away every dummy password and user).

thanks,

bye

From mboxrd@z Thu Jan 1 00:00:00 1970
From: baux80@gmail.com (baux80 at gmail.com)
Date: Wed, 1 Sep 2010 11:56:03 +0200
Subject: [9fans] how to lock cpu console
In-Reply-To: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net>
References: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net>
Message-ID:
Topicbox-Message-UUID: 4c8ba4e0-ead6-11e9-9d60-3106f5b1d025

On 31 August 2010 at 11:04, erik quanstrom wrote:
> i didn't suggest lock for cpu servers since it requires
> rio. seems silly to run rio on the console just to lock it.
> and unfortunately, i think this method would also interfere
> with the serial console. and it wouldn't be immune to
> a three-fingered salute, ^P, ^T^Tr, and other hilarity.

yeah :-) as replied to John Floren, was only a theoretical question (and I
suspected the answer). For some unix server too we let the console
logged. In hard crash condition also the login process doesn't work, and
having a console logged in is useful and doesn't take security away

> since there are no interrupts on the console, it would seem
> trivial to me to, ahem, lock down the console with a 10 line program.
> you'd be left with defending against ^T^Tr, ^P, etc.
> but then again, the power button or network cable is sooo
> convenient. heck, just take the machine home. :-P.

who cares about user/pass when you can pull off hard drives :-)

thanks :-)

bye

From mboxrd@z Thu Jan 1 00:00:00 1970
From: baux80@gmail.com
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
In-reply-to:
References:
Date: Wed, 1 Sep 2010 12:09:08 +0200
Subject: Re: [9fans] how to lock cpu console
Message-Id:
Topicbox-Message-UUID: 4c833fc6-ead6-11e9-9d60-3106f5b1d025

On 31 August 2010 at 13:45, Skip Tavakkolian <9nut@9netics.com> wrote:
> see: /n/sources/contrib/steve/rc/conslock
>
> if you have more than one cpu, change this line:
>        pwd=$home/lib/conslock.hash
> to
>        pwd=$home/lib/conslock.^$sysname^.hash

works well! :-) If some day I'll leave cpu server in an uncontrolled
place I'll use it :-)

thanks

bye

From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Wed, 1 Sep 2010 11:11:26 -0400
To: 9fans@9fans.net
Message-ID:
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4c9bf296-ead6-11e9-9d60-3106f5b1d025

On Wed Sep 1 00:23:45 EDT 2010, benavento@gmail.com wrote:
> now there's also screenlock(8)
>
> http://plan9.bell-labs.com/magic/man2html/8/screenlock
>
> similar to conslock, but authenticates against the auth server

not similar. it depends on rio.

- erik

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
Date: Wed, 1 Sep 2010 13:57:11 -0300
Message-ID:
From: "Federico G. Benavento"
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4cb1bd74-ead6-11e9-9d60-3106f5b1d025

you're right, I thought conslock was rob's lock program

http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/

On Wed, Sep 1, 2010 at 12:11 PM, erik quanstrom wrote:
> On Wed Sep 1 00:23:45 EDT 2010, benavento@gmail.com wrote:
>> now there's also screenlock(8)
>>
>> http://plan9.bell-labs.com/magic/man2html/8/screenlock
>>
>> similar to conslock, but authenticates against the auth server
>
> not similar. it depends on rio.
>
> - erik
>
>

--
Federico G. Benavento

From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Wed, 1 Sep 2010 13:22:52 -0400
To: benavento@gmail.com, 9fans@9fans.net
Message-ID:
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4cb863c2-ead6-11e9-9d60-3106f5b1d025

On Wed Sep 1 12:58:54 EDT 2010, benavento@gmail.com wrote:
> you're right, I thought conslock was rob's lock program
>
> http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/

i hate doing this, but that depends on rio, too.
the open of
/dev/screen -> error() -> exits("fatal error");

- erik

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
Date: Wed, 1 Sep 2010 13:44:46 -0400
Message-ID:
From: John Floren
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4cbe599e-ead6-11e9-9d60-3106f5b1d025

On Wed, Sep 1, 2010 at 1:22 PM, erik quanstrom wrote:
> On Wed Sep 1 12:58:54 EDT 2010, benavento@gmail.com wrote:
>> you're right, I thought conslock was rob's lock program
>>
>> http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/
>
> i hate doing this, but that depends on rio, too. the open of
> /dev/screen -> error() -> exits("fatal error");
>
> - erik
>
>

Thus, screenlock is like rob's lock program...

rio is such a minor thing to run on today's massive machines, I'm not
sure I really see the problem in starting it on your cpu server
anyway. I frequently set them up to launch into rio because:
1. It's easier to fix things when I can cat /dev/kprint in a window
rather than have it constantly interrupting me
2. I like to be able to interrupt programs
3. It's nice to run more than one thing at once, have a graphical editor, etc.
4. Full-screen stats is pretty

Of course, none of these reasons matter to you, since you don't run
rio on your servers AND you don't think there's any reason to lock
them (I agree!), I'm just pointing out that graphical lockers and rio
in general are far from useless on a cpu server.

John
--
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .."
-- Ron Minnich

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
Date: Wed, 1 Sep 2010 14:56:11 -0300
Message-ID:
From: "Federico G. Benavento"
To: erik quanstrom
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: 9fans@9fans.net
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4cd188ca-ead6-11e9-9d60-3106f5b1d025

On Wed, Sep 1, 2010 at 2:22 PM, erik quanstrom wrote:
> On Wed Sep 1 12:58:54 EDT 2010, benavento@gmail.com wrote:
>> you're right, I thought conslock was rob's lock program
>>
>> http://plan9.bell-labs.com/sources/patch/sorry/robs-bits/
>
> i hate doing this, but that depends on rio, too. the open of
> /dev/screen -> error() -> exits("fatal error");
>
> - erik
>

exactly

--
Federico G. Benavento

From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Wed, 1 Sep 2010 14:14:30 -0400
To: 9fans@9fans.net
Message-ID:
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4cd67efc-ead6-11e9-9d60-3106f5b1d025

> rio is such a minor thing to run on today's massive machines, I'm not
> sure I really see the problem in starting it on your cpu server
> anyway. I frequently set them up to launch into rio because:
> 1. It's easier to fix things when I can cat /dev/kprint in a window
> rather than have it constantly interrupting me
> 2. I like to be able to interrupt programs
> 3. It's nice to run more than one thing at once, have a graphical editor, etc.
> 4. Full-screen stats is pretty
>
> Of course, none of these reasons matter to you, since you don't run
> rio on your servers AND you don't think there's any reason to lock
> them (I agree!), I'm just pointing out that graphical lockers and rio
> in general are far from useless on a cpu server.

i'll buy that. but i think you're missing the basic reason
that the plan 9 cpu console is so minimal. there's no
reason to use one, unless you are doing the most basic of
system maintenance. and using one is not without risk.
for example
- you've got admin privs. it's easy to forget and abuse this.
- an errant ^T^Tr ^P or vulcan nerve pinch reboots the
server and not your terminal.

here are some additional reasons that rio makes life more
difficult
- the serial console is now useless; no fixing or rebooting
the machine from home
- you need a kvm port or a real keyboard/video/mouse to
fiddle with the machine even locally.

for me, the loss of the serial console alone makes running
rio on a cpu server a non starter. the serial console has
saved me a good 3-4 trips into the office this year.

- erik

From mboxrd@z Thu Jan 1 00:00:00 1970
Date: Wed, 1 Sep 2010 20:24:20 +0200
From: frank@inua.be
To: 9fans@9fans.net
Message-ID: <20100901182420.GB25019@chiron.galaxy>
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To:
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4cdff9c8-ead6-11e9-9d60-3106f5b1d025

On Wed, Sep 01, 2010 at 01:44:46PM -0400, John Floren wrote:
> rio is such a minor thing to run on today's massive machines, I'm not
> sure I really see the problem in starting it on your cpu server
> anyway. I frequently set them up to launch into rio because:

- When a keyboard and a mouse are attached, rio without a window
  protects you a little bit from accidentally typing something
  meaningful on the keyboard (I've got kids).
- The fine grey background almost looks like my favorite screensaver
  mode (blank). Of course, to wake up the monitor from time to time,
  you need to have a keyboard or mouse connected... oops;-)

--
Frank Lenaerts ---------------------------------------- frank@inua.be

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
Date: Wed, 1 Sep 2010 14:31:20 -0400
Message-ID:
From: John Floren
To: Fans of the OS Plan 9 from Bell Labs <9fans@9fans.net>
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4ce83890-ead6-11e9-9d60-3106f5b1d025

On Wed, Sep 1, 2010 at 2:14 PM, erik quanstrom wrote:
>> rio is such a minor thing to run on today's massive machines, I'm not
>> sure I really see the problem in starting it on your cpu server
>> anyway. I frequently set them up to launch into rio because:
>> 1. It's easier to fix things when I can cat /dev/kprint in a window
>> rather than have it constantly interrupting me
>> 2. I like to be able to interrupt programs
>> 3. It's nice to run more than one thing at once, have a graphical editor, etc.
>> 4. Full-screen stats is pretty
>>
>> Of course, none of these reasons matter to you, since you don't run
>> rio on your servers AND you don't think there's any reason to lock
>> them (I agree!), I'm just pointing out that graphical lockers and rio
>> in general are far from useless on a cpu server.
>
> i'll buy that.  but i think you're missing the basic reason
> that the plan 9 cpu console is so minimal.  there's no
> reason to use one, unless you are doing the most basic of
> system maintenance.  and using one is not without risk.
> for example
> - you've got admin privs.  it's easy to forget any abuse this.
> - an errant ^T^Tr ^P or vulcan nerve pinch reboots the
> server and not your terminal.
>
> here are some additional reasons that rio makes life
> more difficult
> - the serial console is now useless; no fixing or rebooting
> the machine from home
> - you need a kvm port or a real keyboard/video/mouse
> to fiddle with the machine even locally.
>
> for me, the loss of the serial console alone makes
> running rio on a cpu server a non starter.
> the serial console has saved me a good 3-4 trips into
> the office this year.
>
> - erik

Those are reasonable points, definitely. Since I'm usually the only
one to use my servers (except at Sandia, where I share with Ron),
abusing my admin privs isn't a big deal. At Sandia, the cpu/auth/file
server is connected to a serial multiplexer, so I don't run rio there.
At my university lab, I didn't bother to connect a serial line or a
KVM, but the server sits right under my terminal, so I can swap the
connectors around and get a physical console if I really need one.

Sometimes there's a good reason to run rio, sometimes it's actively
counterproductive.

Now that I've admitted there might be more than one way to do a thing,
I should probably go put keyboard shortcuts into Acme or something ;-)

John

--
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .."
-- Ron Minnich

From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Wed, 1 Sep 2010 14:51:44 -0400
To: slawmaster@gmail.com, 9fans@9fans.net
Message-ID: <7d4f94be6fb487bacbe3504f99e724c1@ladd.quanstro.net>
In-Reply-To:
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset="US-ASCII"
Content-Transfer-Encoding: 7bit
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4cf0368a-ead6-11e9-9d60-3106f5b1d025

> Those are reasonable points, definitely. Since I'm usually the only
> one to use my servers (except at Sandia, where I share with Ron),
> abusing my admin privs isn't a big deal.

hey, isn't that the windows security model! :-)

seriously, don't you open yourself up to more mistakes,
if you make it easy to do things as the hostowner?

- erik

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Corey
To: 9fans@9fans.net
Date: Wed, 1 Sep 2010 12:14:12 -0700
User-Agent: KMail/1.13.5 (Linux/2.6.35-gentoo-r4; KDE/4.4.5; i686; ; )
References: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net>
In-Reply-To:
MIME-Version: 1.0
Content-Type: Text/Plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Message-Id: <201009011214.12488.corey@bitworthy.net>
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4cf5c8c0-ead6-11e9-9d60-3106f5b1d025

On Wednesday 01 September 2010 2:56:03 baux80@gmail.com wrote:
> > you'd be left with defending against ^T^Tr, ^P, etc.
> > but then again, the power button or network cable is sooo
> > convenient. heck, just take the machine home. :-P.
>
> who cares user/pass when you can pull off hard drives :-)
>

I care - because I'm an evil hacker who wants _undetected_ ,
_long-term_ access to said machine. Stealing the machine or its drive
is nigh useless, and in fact totally counter productive. It's like
killing the goose that would otherwise be laying golden eggs for me.

Also, a logical fallacy: Since X could sometimes be used to thwart Y,
then Y is useless in all cases.

From mboxrd@z Thu Jan 1 00:00:00 1970
MIME-Version: 1.0
In-Reply-To: <7d4f94be6fb487bacbe3504f99e724c1@ladd.quanstro.net>
References: <80191640-DB1A-4681-9289-8C17E0ED21F9@gmail.com> <7d4f94be6fb487bacbe3504f99e724c1@ladd.quanstro.net>
Date: Wed, 1 Sep 2010 15:41:18 -0400
Message-ID:
From: John Floren
To: erik quanstrom
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: quoted-printable
Cc: 9fans@9fans.net
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4cfbaa74-ead6-11e9-9d60-3106f5b1d025

On Wed, Sep 1, 2010 at 2:51 PM, erik quanstrom wrote:
>> Those are reasonable points, definitely. Since I'm usually the only
>> one to use my servers (except at Sandia, where I share with Ron),
>> abusing my admin privs isn't a big deal.
>
> hey, isn't that the windows security model!  :-)
>
> seriously, don't you open yourself up to more mistakes,
> if you make it easy to do things as the hostowner?
>
> - erik
>

I don't *work* as bootes, I just set things up/fix things as bootes
when the hostowner is absolutely required. I already put my account in
the adm and sys groups, so I can get just about as much abuse as I
want without ever logging in as the hostowner.

John

--
"With MPI, familiarity breeds contempt. Contempt and nausea. Contempt,
nausea, and fear. Contempt, nausea, fear, and .."
-- Ron Minnich

From mboxrd@z Thu Jan 1 00:00:00 1970
From: erik quanstrom
Date: Wed, 1 Sep 2010 15:52:40 -0400
To: corey@bitworthy.net, 9fans@9fans.net
Message-ID:
In-Reply-To: <201009011214.12488.corey@bitworthy.net>
References: <4cefc0a5c0d62eb41b916816776836e1@brasstown.quanstro.net> <201009011214.12488.corey@bitworthy.net>
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 8bit
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4d021daa-ead6-11e9-9d60-3106f5b1d025

> Also, a logical fallacy: Since X could sometimes be used to thwart Y, then
> Y is useless in all cases.

i think the correct statement of the thinking (or
at least my thinking) is

we want to assert X, but
since Y defeats X, we require !Y to assert X.

in something closer to english, the assertion is that
if one requires a secure server, you've got to have physical
security. since there are too many easy ways to circumvent
most known security measures given physical access.

i don't think this assertion has anything to say about
console locking, just that it doesn't solve the stated problem—
excepting, of course, if the data on non-volatile storage
is encrypted and the key is lost on reboot.

- erik

From mboxrd@z Thu Jan 1 00:00:00 1970
From: Corey
To: 9fans@9fans.net
Date: Wed, 1 Sep 2010 13:23:14 -0700
User-Agent: KMail/1.13.5 (Linux/2.6.35-gentoo-r4; KDE/4.4.5; i686; ; )
References: <201009011214.12488.corey@bitworthy.net>
In-Reply-To:
MIME-Version: 1.0
Content-Type: Text/Plain; charset="utf-8"
Content-Transfer-Encoding: quoted-printable
Message-Id: <201009011323.14673.corey@bitworthy.net>
Subject: Re: [9fans] how to lock cpu console
Topicbox-Message-UUID: 4d062e5e-ead6-11e9-9d60-3106f5b1d025

On Wednesday 01 September 2010 12:52:40 erik quanstrom wrote:
> > Also, a logical fallacy: Since X could sometimes be used to thwart Y,
> > then Y is useless in all cases.
>
> i think the correct statement of the thinking (or
> at least my thinking) is
>
> we want to assert X, but
> since Y defeats X, we require !Y to assert X.
>
> in something closer to english, the assertion is that
> if one requires a secure server, you've got to have physical
> security. since there are too many easy ways to circumvent
> most known security measures given physical access.
>
> i don't think this assertion has anything to say about
> console locking, just that it doesn't solve the stated problem—
> excepting, of course, if the data on non-volatile storage
> is encrypted and the key is lost on reboot.
>

Well, security isn't a binary state; it exists within a spectrum:
it's prudent and logical to utilize all means possible - and especially
to cover the low hanging fruit.

It could be said that a locked door is security theatre - because all
it takes is a lockpick or crowbar to circumvent. Or that a helmet is
useless, because it doesn't prevent death from blood-loss or shock
sustained from other injuries.

Console passwords are an effective and relevant _auxiliary_precaution_ ,
to be utilized in addition to the other available methods at one's
disposal - and they're such a no-brainer... it seems like more of
a questionably useful symbolic gesture to not include such a simple
mechanism right out of the box as standard ops.

BUT... that's all for me with regards to this debate - I don't want to
get into it again. (c8= I know better than to argue on 9fans.

Cheers!

Corey